WordPress quickly patches critical vulnerability that made it easy to hijack websites with a comment

WordPress has rushed out a patch today after news emerged of a critical cross-site scripting (XSS) flaw, found in the default installation of its widely used content managing system, was affecting millions of websites. The flaw, disclosed by Finland-based security research firm Klikki Oy, makes it possible for an attacker to gain complete control of the administration area and even the web server that WordPress is running on though the comments system.

Current WordPress installations including versions 4.2, 4.1.2, and 4.1.1 on MySQL versions 5.1.53 and 5.5.41 are affected. The exploit is triggered by posting some simple JavaScript code as a comment along with 64 kilobytes worth of text -- or about 65,535 characters. If the comment is long enough, the database will truncate its contents and display malformed HTML onto the webpage, while silently running the malicious JavaScript.

Once a website is compromised, attackers are free to hijack users’ passwords and perform pretty much any action that requires administrator privileges.

Although this could potentially affect millions of websites there are a couple of limiting factors. First, unless commenting privileges are deliberately left open, the malicious comment would need to be approved by an administrator first in order to be executed. While it’s unlikely that random gibberish would be approved, attackers can work around this by getting a normal comment approved first, and subsequent comments would be approved by default.

The second thing to keep in mind is that sites that use the Akismet plug-in are not affected, which is the “vast majority of WordPress-powered sites” according to Automattic CEO Matt Mullenweg, who downplayed the risk. He also claims WordPress had no prior warning about the XSS flaw, something Klikki Oy refutes saying many attempts were made since November.

In any case, administrators are advised to upgrade to WordPress version 4.2.1 to avoid any potential damage. The update comes just one week after WordPress released version 4.2, which fixed a similar XSS flaw.